On July 26th, the US Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The rule defines cyber regulations that will require publicly traded companies to notify when they suffer a security breach. In addition, these companies will have to disclose details about their cybersecurity risk governance in their public filings.
At the time of this writing, affected companies have only five months to confirm their compliance plans before the new disclosure requirements take effect in mid-December!
The strict new regs appear to be modeled after the European Union’s General Data Protection Regulation (GDPR), considered the toughest privacy and security law in the world. The SEC intends to compel companies to notify the general public as well as the SEC within 96 hours from the moment they determine that a cyber incident has had any material impact on their business operations. The notification itself is quite demanding – it requires information on the nature, scope, and timing of the incident, as well as the “likely” material impact on financial conditions and operations.
Ouch! Sounds cumbersome and expensive and beyond the current cyber-capabilities of many companies.
And that’s just part of it. The new regs would also compel companies to disclose in their annual filings how they implement cybersecurity risk management, strategy, and governance. Not only must the board of directors detail how they oversee risks from cybersecurity threats, but they must also appoint a board committee to be responsible for the oversight.
There is an even more formidable problem – duplication of reporting. There is an overlap between the proposed SEC rule and similar incident-reporting rules already being implemented by the Cybersecurity and Infrastructure Security Agency (CISA) pertaining to critical infrastructure entities. As it stands, affected companies that experience a breach will have to notify multiple agencies of the same incident. Sounds overwhelming to us.
Resistance is Futile
To no-one’s surprise, there has been a lot of pushback against the new rule, but so far with minor effect. Reacting to widespread company pressure, the SEC has adopted amendments that allow for two separate delays of thirty days in the notification requirement – but only if the U.S. Attorney General informs the SEC that the disclosure would pose a risk to national security or public safety. There is also a possibility of an additional 60-day delay for special emergencies.
That’s negligible relief for many companies.
No matter how you slice it, the SEC rule, whenever it eventually goes into effect, is going to burden American industrial companies with a whole new set of oppressive compliance requirements.
What to Do
From experience, we see that a great many American industrial companies and critical infrastructure operators are still early in their cybersecurity programs and are woefully unprepared for a slew of stringent SEC regs with their very aggressive implementation date. These companies are looking for a compliance solution.
There are three particular areas that companies need to address right away:
1. Know where you stand.
Many affected companies are in the dark about their own security posture. While they might have implemented certain cybersecurity tools like firewalls and intrusion detection systems, they don’t have a clue as to the risks to their operation and their impact. The new regulations are about risk assessment and management. Operators need to ask:
- What are the likely attack vectors?
- What is the potential of each vector to affect business operations?
- What is the business impact of a breach?
2. Implement a compliance program now.
There are several well-established OT cybersecurity standards, such as IEC 62443 and the NIST Cybersecurity Framework, that offer security guidance that will satisfy the SEC regulations. Since these new regs require a description of how risk governance is performed, companies would be wise to describe their security goals in terms of these standards. For many companies, just getting started on the standards journey is a challenge. For these, we recommend quick adoption of relevant industry best practices, which are cyber-effective and easier to implement than the demanding standards.
3. Monitor and measure risk — continuously.
Radiflow CIARA is the first-of-its-kind ROI-driven risk assessment and management platform for industrial companies and critical infrastructure organizations. It provides full assessment of the risk posture and threat landscape to operations.
With CIARA, the company may select its target compliance program (one of the standards or relevant industrial best practices) and its implementation tier (where it currently stands on its cyber-journey). Unobtrusively, CIARA scans the network, measuring the company’s security posture against the selected standard(s) or best practices. Using thousands of data points garnered from the ICS network, assets, locale, industry, adversary capabilities, and attack tactics, CIARA calculates the per-zone likelihood of attacks and the effectiveness of corresponding risk-mitigation measures (both installed and proposed), while it accounts for the impact of attacks on the various business processes.
CIARA also delivers key indicators for risk, threat and control levels, a variety of OT-security reports, and a comprehensive hardening plan prioritized by each mitigation control’s contribution to achieving risk management goals.
Be Compliant with the SEC Rule
With CIARA, your company is well down the road toward compliance with whatever the SEC throws at you – even by the end of 2023!
Contact Radiflow to see how CIARA delivers the ultimate risk assessment and man